ANTIVIRUS BYPASSING FOR FUN AND PROFIT

Submitted Apr 18, 2019

Section: Full talk Technical level: Intermediate

Why This Presentation?

Everyone uses Antivirus systems and believes in them to protect us against cyber threats. Antivirus systems are very important to us. They stand as the major protection mechanism for our computers and confidential data.

But how often do we test these systems for their capabilities?
Almost never as these Antivirus systems are sold only based on market/industry reputation and the security staff almost never test them for their capability. If you look from a penetration tester’s point of view, then fooling the Antivirus systems is
quiet easy and not more than a weekend job.

It took me a weekend of research and evades 57 Antivirus Engines. Bypassing Antivirus vendors is common task for malware authors.
This presentation is to motivate the Antivirus vendors and to make them aware of techniques used by malware coders to bypass their Systems. Also this is to motivate the IT security architects to not rely completely on the Antivirus engines to protect the end user.

What will I be presenting?

I will be taking the most well known and well detected shellcode from Metasploit framework:
shell_reverse_tcp
And use my tricks/techniques to bypass the Antivirus engines. The shellcode will remain the same but the way I execute it will change. Simply fooling the Antivirus Engines and bypassing it.

I will be using VirusTotal website to test the signature based malware detection. It has about 52 Antivirus engines to test the malware for Detection. Further I will be testing the detection for 3 Antivirus engines running on virtual machines to show Heuristics/behavioural evasion and Firewall bypass by the malware.

I will be bypassing Antivirus engines and their Detection mechanisms (Hash based detections, Signature based Detection, firewalls, Heuristics and sandbox analysis)

This presentation will be with a plenty of Live Demo. So look closely.

Outline

INTRODUCTION
TECHNIQUES TO BYPASS ANTIVIRUS ENGINES
ATTEMPT 0 : USING THE METASPLOIT GENERATED EXE TEMPLATE (METASPLOIT-SIMPLE-PAYLOAD.EXE)
ATTEMPT 1: USING A CUSTOM CODE TEMPLATE TO EXECUTE THE SHELLCODE (CUSTOM1.EXE)
ATTEMPT 2 : FINDING LOOPHOLES IN THE VIRTUALIZATION SYSTEM OF THE ANTIVIRUS ENGINES TO EXECUTE THE SHELLCODE(VIRT_BY_REV.EXE)
ATTEMPT 3: ENCRYPTING THE SHELLCODE(CUSTOMENC.EXE) AND ADDING SLEEP CALLS AND NOPS TO EVADE EMULATORS (CUSTOMENCSL.EXE)
ATTEMPT 4: ADDING NOP’S AND HEX EDITING (ENCODNP_XR.EXE) WITHOUT ANY FUNCTIONALITY LOSS
ATTEMPT 5 : CODE INJECTION (REMOTE_XOR_NETSTAT_GETPROC_SLEEP.EXE)
ATTEMPT 6: GHOST-WRITING AND USING METAMORPHIC CODE TO BYPASS ANTIVIRUS AND HEURISTIC DETECTION (FINAL.EXE)
Q/A
IMP: There will be lots of Live Demo’s for every step of Antivirus Bypassing

Speaker bio

Vanshit Malhotra has bean a Cyber Security Researcher for more than 8 years and possess knowledge in all aspects of IT security testing and implementation with expertise in solution building for large organisations, managing cross-cultural teams and planning & execution of security needs beyond national boundaries. He is a cyber security Specialist, passionate about hacking, more for the intellectual challenge, curiosity & adventure.

Vanshit Malhotra has been an Investigator of Industrial Espionage, Insider Threats and numerous Cyber Crimes. He has also authored numerous published research papers, articles and blogs. He is a sought after public Speaker and Cyber Security Researcher, presenting his research at many international security conferences such as “HACKON-2016”, “HACKTECH 2017”, "National Cyber Safety and Security Standards (NCDRC) 2017”, “c0c0n X 2017”, ”HAKON 2017”, “OWASP Seasides 2019”.

In his current profile, he leads team super specialists in cyber security to protect various clients from Cyber Security threats and network intrusion by providing necessary solutions and services to institutions and organisations.

Call for round the year submissions for Rootconf in 2020